Privacy-Enhancing Technology: How to Use It in DevOps

3940 VIEWS

·

Privacy is an important feature in today’s software, and DevOps should focus on it.

Privacy by Design, Privacy-Enhancing Technology and Privacy by Default are all terms associated with privacy and software.

What do they mean, and how do they affect DevOps?

In my last blog post, I explained the meaning of Privacy by Default. In this post, I’ll discuss Privacy Enhancing Technology and explain how we can use it in DevOps.

Privacy-Enhancing Technology and Privacy by Design

As I explained in my previous blogs, Privacy by Design is an approach to systems engineering that takes privacy into account throughout the whole engineering process.

Next to this, Privacy by Default requires IT Operations to configure the privacy settings for its customers’ software in the strictest mode. A user’s consent must be provided when personally identifiable Information (PII) has to be shared with third parties.

So, how does Privacy-Enhancing Technology, a.k.a. PET, relate to this?

The answer is that PET is a system of ICT that measures the protection of informational privacy by eliminating or minimising personal data, thereby preventing unnecessary or unwanted processing of personal data, without the loss of the functionality of the information system.

It increases the control of Personally Identifiable Information (PII) by the end user, eliminating or minimizing the procession of the PII data.

What is important here is that there is no loss of functionality for the system used.

Privacy-Enhancing Technology and DevOps

And now the connection with DevOps becomes clear, because DevOps is all about maintaining  good functionality of the system.

QA is an important part of DevOps.

For QA, test data is necessary, which has to be production-like to mirror the production environment.

However, due to privacy legislation, the use of production data (with a lot of PII) is forbidden.

Data masking, the process of hiding original data with random characters or data, could be used to comply to privacy legislation. Camouflage software is a toolset for data masking,

But why not generate production-like data yourself?

Mockaroo

Mockaroo, an online random data generator, can be used to generate production-like test data for your system (integration) or acceptance tests.

This way you can create ‘test persons’ with production-like PII.

By selecting fieldnames and types of specific test data, your ‘test persons’ can be designed.

Here we will select first name and email address. These represent userName and email in, for instance, a SOAP request.

The amount of ‘test persons’ can be configured by entering the rows in the # Rows text field, and the chosen format (here, CSV) in the Format field. This way, in a short time, you can create a lot of test data.

When the selection is complete, you can download this data by clicking the button Download Data.

This results in the creation of a CSV file.

The CSV file can then be used as a test data repository for further (automated) testing with Selenium or JMeter.

It’s really a PET: No PII from your production data is used. You are still compliant with privacy legislation, and the functionality of your information system is not touched.

Conclusion

Privacy-Enhancing Technology, or PET, is an important part of Privacy by Design.

It increases control of the Personally Identifiable Information (PII) by the end user, eliminating or minimizing the procession of the PII data. And all this without any loss of the functionality of the system used.

A lot of PETs are available.

For DevOps, we reviewed two usable kinds of PETs: data masking (Camouflage) and mocking (Mockaroo) technology.

The mocking technology is particularly usable because, in just a few clicks, a great deal of production-like data can be created for instant use.

This ends my blog series on Privacy by Design.

I hope you enjoyed it and if you have any questions or feedback  you are always free to contact me.


Cordny Nederkoorn is a software test engineer with over 10 years experience in finance, e-commerce and web development. He is also the founder of TestingSaaS, a social network about researching cloud applications with a focus on forensics, software testing and security. Cordny is a regular contributor at Fixate IO. LinkedIn


Discussion

Click on a tab to select how you'd like to leave your comment

Leave a Comment

Your email address will not be published. Required fields are marked *

Menu
Skip to toolbar